Juniper SRX – Dynamic VPN Wizard

19 07 2011

Just managed to set up a Juniper Dynamic VPN using the web interface’s wizard in about half an hour – bonzer compared to the last time I did it at the CLI, which seemed to take two days.

There are a couple of things to watch out for, though. Although the wizard is very good, it doesn’t do a couple of important things for you, and without them the VPN won’t work. (This assumes your SRX has a fairly default config and your VPN clients are coming in on the ‘untrust’ zone):

  • You will need to enable HTTP and HTTPS web management on the untrust interface (e.g. ‘set sys services web-management http interface ge-0/0/0’ and the same again for https)
  • Be sure to permit HTTP and HTTPS inbound on the untrust zone (e.g. ‘set security zone security-zone untrust host-inbound-traffic system-services http’ and the same again for https)

The resulting config from the wizard looks like this (ge-0/0/14 is my outside/untrust interface in this instance):

[edit]
root# show security 
ike {
    policy ike_pol_wizard_dyn_vpn {
        mode aggressive;        # Must be aggressive, not main mode
        proposal-set compatible;
        pre-shared-key ascii-text "$9$RkbElM7Nb2oGVw.P"; ## SECRET-DATA
    }
    gateway gw_wizard_dyn_vpn {
        ike-policy ike_pol_wizard_dyn_vpn;
        dynamic {
            hostname NoName;
            connections-limit 50;
            ike-user-type group-ike-id;
        }
        external-interface ge-0/0/14.0;
        xauth access-profile remote_access_profile;
    }
}
ipsec {
    policy ipsec_pol_wizard_dyn_vpn {
        perfect-forward-secrecy {
            keys group2;
        }
        proposal-set compatible;
    }                                   
    vpn wizard_dyn_vpn {
        ike {
            gateway gw_wizard_dyn_vpn;
            ipsec-policy ipsec_pol_wizard_dyn_vpn;
        }
    }
}
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            vlan.0;
            ge-0/0/0.0;
        }
    }
    security-zone untrust {
        screen untrust-screen;
        host-inbound-traffic {
            system-services {
                ike;
                http;
                https;
            }                           
        }
        interfaces {
            ge-0/0/14.0;
        }
    }
}
policies {
    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy policy_in_wizard_dyn_vpn {
            match {
                source-address any;     
                destination-address any;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn wizard_dyn_vpn;
                    }
                }
            }
        }
    }
}
dynamic-vpn {
    access-profile remote_access_profile;
    clients {
        wizard-dyn-group {
            remote-protected-resources {
                192.168.5.0/24;
            }
            ipsec-vpn wizard_dyn_vpn;
            user {
                andy;                   
            }
        }
    }
}

And the other bit the wizard didn’t do:

root# show system services 
ssh;
telnet;
xnm-clear-text;
web-management {
    http {
        interface [ vlan.0 ge-0/0/0.0 ge-0/0/14.0 ];
    }
    https {
        system-generated-certificate;
        interface [ vlan.0 ge-0/0/14.0 ];
    }
}
2 responses

8 11 2011
sharp

Hey, thanks for the post. Do you know if there is any way we can have VPN access on a Mac if I have an SRX 100? Is there a client that exists out there? I know Pulse is not compatible with Windows, but can we use the Cisco setting on Mac to do that? Thanks

10 11 2011
DataPlumber

Hi there –
I’ve been meaning to try this one: http://www.altaware.com/v/ncp/
Unfortunately, not yet had the time, but if I do I’ll post the results.
I could also give the Cisco VPN setting a try – again, depending on time.
